]> git.ipfire.org Git - thirdparty/openvpn.git/commit
projects / thirdparty / openvpn.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 7dfff75) | patch
Windows: enforce 'block-local' with WFP filters
authorHeiko Hund <heiko@ist.eigentlich.net>
Wed, 5 Jun 2024 12:38:56 +0000 (14:38 +0200)
committerGert Doering <gert@greenie.muc.de>
Wed, 5 Jun 2024 17:22:43 +0000 (19:22 +0200)
commitbf887c95e46c6892ac1f68be5559525f8d975530
treefa6856e37ab0b5401aefb1a53c550b1012be7ef4tree | snapshot
parent7dfff75659e6c06abe500f5b8716d9712aa41bcccommit | diff
Windows: enforce 'block-local' with WFP filters

In an attempt to better defend against the TunnelCrack attacks, enforce
that no traffic can pass to anything else than the VPN interface when
the 'block-local' flags is given with either --redirect-gateway or
--redirect-private.

Reuse much of the existing --block-outside-dns code, but make it more
general, so that it can also block any traffic, not just port 53.

Uses the Windows Filtering Platform for enforcement in addition to the
routes redirecting the networks into the tunnel.

Change-Id: Ic9bf797bfc7e2d471998a84cb0f071db3e4832ba
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240605123856.26267-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28717.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
15 files changed:
CMakeLists.txt diff | blob | blame | history
doc/man-sections/vpn-network-options.rst diff | blob | blame | history
include/openvpn-msg.h diff | blob | blame | history
src/openvpn/Makefile.am diff | blob | blame | history
src/openvpn/init.c diff | blob | blame | history
src/openvpn/route.c diff | blob | blame | history
src/openvpn/route.h diff | blob | blame | history
src/openvpn/tun.c diff | blob | blame | history
src/openvpn/wfp_block.c [moved from src/openvpn/block_dns.c with 63% similarity] diff | blob | blame | history
src/openvpn/wfp_block.h [moved from src/openvpn/block_dns.h with 83% similarity] diff | blob | blame | history
src/openvpn/win32.c diff | blob | blame | history
src/openvpn/win32.h diff | blob | blame | history
src/openvpnserv/CMakeLists.txt diff | blob | blame | history
src/openvpnserv/Makefile.am diff | blob | blame | history
src/openvpnserv/interactive.c diff | blob | blame | history
Mirror of https://github.com/OpenVPN/openvpn.git